Dailydave mailing list archives

Re: A Quick Whitepaper: Recovering and Analyzing Deleted Registry Hives


From: Kristian Erik Hermansen <kristian.hermansen () gmail com>
Date: Sun, 18 Sep 2011 07:52:45 -0700

On Sep 17, 2011 6:47 PM, "Andrew Case" <andrew () digitalforensicssolutions com> wrote:
> I was writing to say that I just released a small whitepaper on an
> interesting scenario I had in a recent case. I have a full writeup
> here:
>
> http://dfsforensics.blogspot.com/2011/09/recovering-and-analyzing-deleted.html

One thing you might want to keep in mind for future cases is that registry
timestamps are only set for keys, and not entries. Thus if one entry is
updated then the key timestamp is altered and you can't really trust that
enough to associate it with all entries under the key.

Also, I wrote a tool a while back called regfuck. Microsoft does something
crazy as always and stores the timestamps as milliseconds since 1492, or the
renaissance, who knows...whatever...but regfuck effectively nullifies all
key timestamps by setting them back to null or a future date (at the time NT
kernel API shouldn't allow future date timestamps). Obviously if the bad guy
was smarter he wouldn't let himself get caught...
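Added example, not part of the thread or of either poster's tools: a small Python walker over a constructed hive fragment that shows the two points above from the analyst's side. It parses the cells, reads the LastWrite field that exists only on nk (key) records, notes that vk (value) records carry no timestamp at all, and flags keys whose timestamp has been zeroed or pushed into the future, which is what a timestomped hive would look like to a reviewer. The hive bytes, key names and the reference time `NOW` are all synthetic, and timestamps are decoded as standard Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC).

```python
"""Walk the allocated cells of a registry hive fragment, decode the
LastWrite timestamp carried by each nk (key) record, and flag values that
look tampered with (zeroed or dated in the future).

Constructed example: the hive bytes below are synthetic, built inline so
the script runs offline; nothing here comes from a real case."""
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-nanosecond ticks counted from 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def make_cell(body):
    # Hive cells start with a signed 32-bit size; negative means allocated.
    size = (len(body) + 4 + 7) & ~7            # cells are 8-byte aligned
    padded = body + b"\x00" * (size - 4 - len(body))
    return struct.pack("<i", -size) + padded


def build_nk(name, last_write_ft, num_values):
    # Minimal nk record: only the fields the scanner reads are populated.
    body = b"nk" + struct.pack("<H", 0x20) + struct.pack("<Q", last_write_ft)  # LastWrite at offset 4
    body += b"\x00" * (36 - len(body))
    body += struct.pack("<I", num_values)      # number of values at offset 36
    body += b"\x00" * (72 - len(body))
    body += struct.pack("<HH", len(name), 0) + name.encode("ascii")  # name length at 72, name at 76
    return make_cell(body)


def build_vk(name):
    # vk layout: sig, name length, data size, data offset, type, flags, spare, name.
    # Note there is no timestamp field anywhere in a value record.
    body = b"vk" + struct.pack("<H", len(name)) + struct.pack("<IIIHH", 4, 0, 4, 1, 0)
    return make_cell(body + name.encode("ascii"))


def walk_cells(data):
    off = 0
    while off + 4 <= len(data):
        (size,) = struct.unpack_from("<i", data, off)
        if size == 0:
            break
        length = abs(size)
        yield off, size < 0, data[off + 4: off + length]
        off += length


def parse_cell(body):
    sig = body[:2]
    if sig == b"nk":
        (last_write,) = struct.unpack_from("<Q", body, 4)
        (num_values,) = struct.unpack_from("<I", body, 36)
        (name_len,) = struct.unpack_from("<H", body, 72)
        name = body[76:76 + name_len].decode("ascii", "replace")
        return {"type": "key", "name": name, "last_write": last_write, "num_values": num_values}
    if sig == b"vk":
        (name_len,) = struct.unpack_from("<H", body, 2)
        name = body[20:20 + name_len].decode("ascii", "replace")
        return {"type": "value", "name": name}   # no timestamp to report
    return None


def audit_key_timestamps(data, now):
    """Return (key name, decoded LastWrite, value count, verdict) per key.

    A key's LastWrite covers the whole key, so with num_values > 1 the
    timestamp cannot be tied to any single value under it."""
    findings = []
    for _off, allocated, body in walk_cells(data):
        rec = parse_cell(body) if allocated else None
        if not rec or rec["type"] != "key":
            continue
        ft = rec["last_write"]
        when = filetime_to_datetime(ft)
        verdict = "null" if ft == 0 else "future" if when > now else "ok"
        findings.append((rec["name"], when.isoformat(), rec["num_values"], verdict))
    return findings


# Constructed reference time and hive fragment: one untouched key with two
# values, one key with a zeroed timestamp, one key dated in the future.
NOW = datetime(2011, 9, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE_HIVE = b"".join([
    build_nk("Run", datetime_to_filetime(datetime(2011, 9, 10, 8, 30, tzinfo=timezone.utc)), 2),
    build_vk("Updater"),
    build_vk("Backdoor"),
    build_nk("Wiped", 0, 1),
    build_vk("x"),
    build_nk("Backdated", datetime_to_filetime(datetime(2030, 1, 1, tzinfo=timezone.utc)), 0),
])

if __name__ == "__main__":
    for name, when, nvals, verdict in audit_key_timestamps(SAMPLE_HIVE, NOW):
        print(f"{name:10s} LastWrite={when} values={nvals} -> {verdict}")
```

The "null" and "future" verdicts are exactly the two states the regfuck description above produces; a reviewer who sees many keys at the 1601 epoch or beyond the imaging date knows the timestamps were manipulated even though the original values are gone. The `values` column is the reminder that a clean "ok" timestamp still only dates the key, not any one entry beneath it.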
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave